FreeIPA is the Red Hat-sponsored open source identity management suite that bundles 389 Directory Server (LDAP), the MIT Kerberos KDC, a Dogtag-based certificate authority and an optional BIND DNS server behind a unified management interface; enrolled clients use SSSD. Current releases configure chrony as a time client rather than running their own NTP server (older releases bundled ntpd). It is the upstream project for Red Hat Identity Management (IdM) and is designed to be the authoritative identity source for Linux fleets. FreeIPA greatly simplifies deploying centralised authentication compared with configuring OpenLDAP and Kerberos individually. This tutorial installs a standalone FreeIPA server on RHEL 9 and enrols a client machine.
Prerequisites
- RHEL 9 server with at least 2 GB RAM (plan for more when the integrated CA and DNS are installed) and 10 GB free disk (FreeIPA is resource-intensive)
- A fully qualified hostname set and resolvable in both forward and reverse DNS (e.g., ipa.example.com)
- The server hostname must not resolve to 127.0.0.1; map the real IP address to the FQDN in /etc/hosts
- All required ports open: 80 and 443 (HTTP/HTTPS), 389 and 636 (LDAP/LDAPS), 88 and 464 (Kerberos and kpasswd, both TCP and UDP), plus 53 (TCP and UDP) when the integrated DNS server is installed. Port 749 (kadmin) is not used by FreeIPA clients and can stay closed.
- System clock synchronised (chrony recommended); Kerberos rejects requests whose timestamps drift beyond the KDC's clock skew limit (5 minutes by default)
Step 1 — Set the FQDN and Configure /etc/hosts
FreeIPA is extremely sensitive to hostname resolution. Set the server’s FQDN persistently and ensure /etc/hosts maps the real IP address to the FQDN, never the loopback address. On cloud images, also check that cloud-init is not configured to rewrite /etc/hosts on every boot, which would silently undo this change.
hostnamectl set-hostname ipa.example.com
# Edit /etc/hosts and add the real IP
echo "203.0.113.10 ipa.example.com ipa" >> /etc/hosts
# Verify — must return the FQDN, not localhost
hostname -f
Open the required firewall services. The kerberos and kpasswd services cover ports 88 and 464 on both TCP and UDP, and dns is needed only because the integrated DNS server is installed below (RHEL also ships a freeipa-4 firewalld service that bundles the non-DNS ports). Port 749 does not need to be opened:
firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns}
firewall-cmd --reload
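The hostname requirements above are easy to get wrong and the installer only tells you late, so it pays to script the checks. The following is an added example (not from this page or the FreeIPA project): it validates a hosts(5) mapping offline against constructed sample data, and when invoked with an FQDN and address it runs the live hostname and DNS checks. It assumes the address 203.0.113.10 from this tutorial and that bind-utils provides dig.

```shell
#!/bin/sh
# Pre-flight checks for the hostname requirements FreeIPA enforces.
# Added example, not part of the FreeIPA project. The hosts-file samples
# and the address 203.0.113.10 below are constructed for illustration;
# the live checks need bind-utils (dig) and a resolver that serves the zone.

# Return 0 if ADDRESS is a loopback address (IPv4 127/8 or IPv6 ::1).
is_loopback() {
  case "$1" in
    127.*|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Read hosts(5)-format text on stdin and print the first address whose
# name list contains FQDN. Comments are stripped before matching.
hosts_address_for() {
  awk -v name="$1" '
    { sub(/#.*/, "") }
    NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
  '
}

# Validate the mapping FreeIPA will see: FQDN has a domain part, it is
# present in the hosts data on stdin, it is not loopback, and it equals
# EXPECTED when one is given. Prints a diagnosis; returns 0 on success.
check_hosts_mapping() {
  fqdn="$1"; expected="${2:-}"
  case "$fqdn" in
    *.*) ;;
    *) echo "FAIL: '$fqdn' is not fully qualified"; return 1 ;;
  esac
  addr=$(hosts_address_for "$fqdn")
  if [ -z "$addr" ]; then
    echo "FAIL: $fqdn has no hosts entry"; return 1
  fi
  if is_loopback "$addr"; then
    echo "FAIL: $fqdn maps to loopback address $addr"; return 1
  fi
  if [ -n "$expected" ] && [ "$addr" != "$expected" ]; then
    echo "FAIL: $fqdn maps to $addr, expected $expected"; return 1
  fi
  echo "OK: $fqdn -> $addr"
}

# Live checks on the real server: hostname -f must return FQDN, /etc/hosts
# must map it to IP, and forward and reverse DNS must agree with that.
live_preflight() {
  fqdn="$1"; ip="$2"
  [ "$(hostname -f)" = "$fqdn" ] ||
    { echo "FAIL: hostname -f returned '$(hostname -f)'"; return 1; }
  check_hosts_mapping "$fqdn" "$ip" < /etc/hosts || return 1
  [ "$(dig +short A "$fqdn")" = "$ip" ] ||
    { echo "FAIL: forward DNS for $fqdn does not return $ip"; return 1; }
  [ "$(dig +short -x "$ip")" = "$fqdn." ] ||
    { echo "FAIL: reverse DNS for $ip does not return $fqdn"; return 1; }
  echo "OK: $fqdn/$ip passes all checks"
}

# Constructed samples: a typical broken /etc/hosts (FQDN on the loopback
# line, as some cloud images write it) and a correct one.
SAMPLE_HOSTS_BAD='127.0.0.1 localhost ipa.example.com ipa
::1 localhost'
SAMPLE_HOSTS_GOOD='127.0.0.1 localhost
::1 localhost
203.0.113.10 ipa.example.com ipa   # real address'

# Run the live checks when invoked with an FQDN and IP, e.g.:
#   sh preflight.sh ipa.example.com 203.0.113.10
if [ $# -eq 2 ]; then
  live_preflight "$1" "$2"
fi
```

Run it before ipa-server-install; any FAIL line points at exactly the condition that would otherwise make the installer abort or, worse, produce a server whose certificates and Kerberos principals carry the wrong name.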
Step 2 — Install FreeIPA Server Packages
Install the core server package and the optional integrated DNS server. On RHEL 9 the packages are named ipa-server and ipa-server-dns (Fedora ships them as freeipa-server and freeipa-server-dns). The DNS module uses BIND and lets FreeIPA manage its own zones, including the SRV records clients use to discover the KDC and LDAP servers, which greatly simplifies client enrolment.
dnf install -y ipa-server ipa-server-dns
Do not start the directory server, KDC, httpd or named services yourself: ipa-server-install initialises, configures and enables all of them.
Step 3 — Run ipa-server-install
The installer can run interactively or fully from the command line. The unattended form below sets up the integrated DNS server, uses no external forwarders (suitable for an isolated lab; in production drop --no-forwarders and pass --forwarder=IP once per upstream resolver), and sets the Directory Manager and admin passwords, which must each be at least 8 characters. Passing passwords on the command line leaves them in the shell history and, while the installer runs, in the process list visible to every local user; on a production host omit the two --*-password flags so the installer prompts for them instead. Add --no-reverse or --auto-reverse to make reverse-zone handling explicit rather than relying on the default. Replace realm, domain, hostname, address and passwords as needed.
ipa-server-install \
  --realm=EXAMPLE.COM \
  --domain=example.com \
  --ds-password=DirectoryServicePassword1! \
  --admin-password=AdminPassword1! \
  --setup-dns \
  --no-forwarders \
  --hostname=ipa.example.com \
  --ip-address=203.0.113.10 \
  --unattended
The installer takes 5–15 minutes. It will configure LDAP, Kerberos, the certificate authority, DNS, and the web UI, then start all required systemd services.
Step 4 — Verify the Installation and Access the Web UI
After installation, obtain a Kerberos ticket for the admin account and run a quick check:
kinit admin
ipa user-find admin
The FreeIPA web UI is available at https://ipa.example.com/ipa/ui. Log in with the admin account using the password provided during installation. The UI provides full management of users, groups, hosts, services, DNS records, certificates, sudo rules, and HBAC policies. Verify all core services are running:
ipactl status
Step 5 — Enrol a Client Machine
On the client machine, install the FreeIPA client package (ipa-client on RHEL 9; freeipa-client on Fedora) and run the enrolment command. The client must be able to resolve ipa.example.com and the domain’s Kerberos and LDAP SRV records; if you are using FreeIPA’s integrated DNS, point the client’s resolver at the IPA server before enrolling. The form below joins the domain with the admin credentials, which is convenient in a lab but puts the domain administrator’s password into the client’s shell history and, during enrolment, its process list; outside a lab, prefer a per-host one-time password issued with ipa host-add HOST --random on the server.
# On the client machine
dnf install -y ipa-client
ipa-client-install \
  --server=ipa.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --principal=admin \
  --password=AdminPassword1! \
  --mkhomedir \
  --unattended
After enrolment, the client is registered as a host entry in FreeIPA, has its host keytab in /etc/krb5.keytab, and SSSD is configured for LDAP identity lookups and Kerberos authentication. Test that users resolve from the directory (only admin exists at this point; jdoe is created in the next step):
id admin
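Enrolling with a per-host one-time password keeps the admin credentials off every client you build. The following is an added example (not from this page or the FreeIPA project) of that flow: the server side pre-creates the host entry and extracts the generated OTP from the CLI output, the client side enrols with the OTP alone. It assumes the tutorial’s names (ipa.example.com, example.com, EXAMPLE.COM, client.example.com); the ipa host-add output embedded for the self-test is constructed.

```shell
#!/bin/sh
# Enrol a FreeIPA client with a per-host one-time password instead of the
# admin credentials. Added example, not part of the FreeIPA project. It
# assumes the tutorial's names (ipa.example.com, example.com, EXAMPLE.COM,
# client.example.com); the `ipa host-add` output below is constructed.

# Read `ipa host-add HOST --random` output on stdin and print the generated
# OTP, which the CLI reports on a "Random password:" line.
otp_from_host_add() {
  awk '/^[[:space:]]*Random password:/ {
         sub(/^[[:space:]]*Random password:[[:space:]]*/, ""); print; exit }'
}

# Server side, with an admin ticket: pre-create the host entry and emit its
# OTP. HOST must equal the client's `hostname -f`; the OTP is consumed when
# the client fetches its keytab, so it cannot be replayed afterwards.
issue_enrolment_otp() {
  ipa host-add "$1" --random | otp_from_host_add
}

# Server side: replace the OTP of a host that has not enrolled yet (for
# example after a failed first attempt). FreeIPA refuses this once the host
# holds a keytab; run `ipa host-disable HOST` first in that case.
reissue_enrolment_otp() {
  ipa host-mod "$1" --random | otp_from_host_add
}

# Client side: enrol with the OTP only. No --principal/--password of a
# privileged account touches the client, its shell history or process list.
enrol_client_with_otp() {
  otp="$1"
  ipa-client-install --server=ipa.example.com --domain=example.com \
    --realm=EXAMPLE.COM --password="$otp" --mkhomedir --unattended
}

# Constructed sample of `ipa host-add client.example.com --random` output;
# the password value is made up.
SAMPLE_HOST_ADD_OUTPUT='-------------------------------
Added host "client.example.com"
-------------------------------
  Host name: client.example.com
  Random password: 3Lzb5BRVWMYi6lHDfa+K
  Password: True
  Keytab: False
  Managed by: client.example.com'

# Usage: on the server  sh otp-enrol.sh issue client.example.com
#        on the client  sh otp-enrol.sh enrol "$OTP"
case "${1:-}" in
  issue)   issue_enrolment_otp "$2" ;;
  reissue) reissue_enrolment_otp "$2" ;;
  enrol)   enrol_client_with_otp "$2" ;;
esac
```

Hand the OTP to the client over whatever channel you already trust for provisioning secrets; it is valid for one enrolment only, and a host that shows Keytab: True in ipa host-show has already used it.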
Step 6 — Configure Sudo Rules and HBAC Policies
FreeIPA centralises sudo rules and Host-Based Access Control (HBAC) policies. Below we create a sudo rule that grants the sysadmins group full sudo access on all enrolled hosts, and an HBAC rule that allows that group SSH and sudo on all hosts. Run these on the IPA server (or any enrolled host with the ipa client tools) with a valid admin ticket. Clients cache HBAC and sudo rules in SSSD, so changes take a few minutes to reach them unless the cache is cleared.
# Create a group and add a user (a password set by an administrator expires
# immediately, so jdoe must change it at first login)
ipa group-add sysadmins --desc="System Administrators"
ipa user-add jdoe --first=John --last=Doe --password
ipa group-add-member sysadmins --users=jdoe
# Create a sudo rule granting full access
ipa sudorule-add allow_sysadmins --hostcat=all --cmdcat=all --runasusercat=all --runasgroupcat=all
ipa sudorule-add-user allow_sysadmins --groups=sysadmins
# Create an HBAC rule allowing sysadmins to use sshd and sudo on all hosts.
# Name the PAM services explicitly: --servicecat=all would allow every PAM
# service, and sudo must be listed because HBAC gates the sudo PAM service
# too, so a rule limited to sshd would let jdoe log in but not elevate.
ipa hbacrule-add allow_sysadmins_ssh --hostcat=all
ipa hbacrule-add-service allow_sysadmins_ssh --hbacsvcs=sshd,sudo,sudo-i
ipa hbacrule-add-user allow_sysadmins_ssh --groups=sysadmins
# Disable the default permissive HBAC rule once restrictive rules are in
# place. From then on nobody outside sysadmins can log in anywhere, the IPA
# server included, so test before disabling.
ipa hbacrule-disable allow_all
Test HBAC rules without actually attempting a login. While allow_all is still enabled it matches everything, so add --rules=allow_sysadmins_ssh to evaluate only the new rule, which shows what will happen once allow_all is disabled; repeat with --service=sudo and with the IPA server’s own hostname:
ipa hbactest --user=jdoe --host=client.example.com --service=sshd
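Checking one user on one host by hand does not prove that disabling allow_all is safe fleet-wide. The following is an added example (not from this page or the FreeIPA project) that evaluates the sysadmins rule in isolation, via hbactest --rules, for a user against every enrolled host and each listed PAM service, and refuses to declare the change safe if any combination would be denied. It assumes the rule, user and service names used in this step; the hbactest outputs embedded for the self-test are constructed.

```shell
#!/bin/sh
# Check that the sysadmins rule alone keeps the administrators' access to
# every enrolled host before allow_all is disabled. Added example, not part
# of the FreeIPA project. It assumes the rule, user and service names from
# the tutorial; the hbactest outputs below are constructed.

# Read `ipa hbactest` output on stdin; return 0 only if it reports
# "Access granted: True".
hbac_granted() {
  awk '/^[[:space:]]*Access granted:/ { found = 1; ok = ($NF == "True") }
       END { exit (found && ok) ? 0 : 1 }'
}

# List enrolled hosts. Non-raw `ipa host-find` output prints one
# "Host name: FQDN" line per host.
enrolled_hosts() {
  ipa host-find --sizelimit=0 | awk '/^[[:space:]]*Host name:/ { print $3 }'
}

# Evaluate RULES (comma-separated) in isolation, which is what will remain
# once allow_all is disabled, for USER against every enrolled host and each
# SERVICE given. Prints every verdict; returns 1 if any would lock USER out.
verify_access_without_allow_all() {
  user="$1"; rules="$2"; shift 2
  status=0
  for host in $(enrolled_hosts); do
    for svc in "$@"; do
      if ipa hbactest --user="$user" --host="$host" --service="$svc" \
           --rules="$rules" | hbac_granted; then
        echo "granted: $user on $host for $svc"
      else
        echo "DENIED:  $user on $host for $svc"; status=1
      fi
    done
  done
  return $status
}

# Constructed samples of `ipa hbactest` output.
SAMPLE_HBACTEST_GRANTED='--------------------
Access granted: True
--------------------
  Matched rules: allow_sysadmins_ssh
  Not matched rules: allow_all'
SAMPLE_HBACTEST_DENIED='---------------------
Access granted: False
---------------------
  Not matched rules: allow_sysadmins_ssh'

# Usage: sh hbac-guard.sh jdoe allow_sysadmins_ssh sshd sudo sudo-i
# Only run `ipa hbacrule-disable allow_all` when this exits 0.
if [ $# -ge 3 ]; then
  verify_access_without_allow_all "$@" && echo "safe to disable allow_all"
fi
```

Run it for every member of sysadmins you rely on for break-glass access, not just jdoe, and include the IPA server itself in the expectation: a DENIED line for the server's own hostname means the next ssh session after disabling allow_all would be refused.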
Conclusion
You have deployed a fully functional FreeIPA server on RHEL 9 with integrated DNS, Kerberos, LDAP, and a certificate authority. A client machine has been enrolled into the domain, and centralised sudo and HBAC policies are now enforcing access control across your infrastructure. FreeIPA provides a single management plane for identity, authentication, and authorisation on Linux.
Next steps: How to Configure Kerberos Authentication on RHEL 9, How to Set Up LDAP with OpenLDAP on RHEL 9, and How to Configure FreeIPA Replication for High Availability on RHEL 9.